On June 12, OCR issued guidance clarifying that HIPAA permits the use of PHI by health care providers to identify and contact patients who have recovered from COVID-19 about blood and plasma donations. Specifically, the guidance notes that use of PHI in this manner is permitted as a population-based activity under the definition of health care operations, subject to the minimum necessary standard. The guidance further notes that identifying a particular blood and plasma donation center within the communication would constitute marketing, requiring patient authorization. However, so long as the provider does not receive any direct or indirect payment from any third party described in the communication, an exception would apply and authorization would not be required. OCR reiterates that PHI cannot be disclosed to a third party for use in marketing communications without authorization from the individual.